From c212768e8fb480bd910286a5154027fe6ece08f4 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Sun, 8 Mar 2026 13:44:19 -0700
Subject: [PATCH] rule improvements to reduce FP's
---
.../kingfisher-rules/data/rules/atlassian.yml | 3 +-
.../data/rules/azurestorage.yml | 29 ++++++++++---------
crates/kingfisher-rules/data/rules/google.yml | 14 +++++++--
crates/kingfisher-rules/data/rules/redis.yml | 2 +-
.../data/rules/salesforce.yml | 14 +++++++++
crates/kingfisher-rules/data/rules/square.yml | 1 +
6 files changed, 46 insertions(+), 17 deletions(-)
diff --git a/crates/kingfisher-rules/data/rules/atlassian.yml b/crates/kingfisher-rules/data/rules/atlassian.yml
index 91c03ef..8393588 100644
--- a/crates/kingfisher-rules/data/rules/atlassian.yml
+++ b/crates/kingfisher-rules/data/rules/atlassian.yml
@@ -13,10 +13,11 @@ rules: \b pattern_requirements: min_lowercase: 1 + min_digits: 2 min_entropy: 3.5 confidence: medium examples: - - Atlassian_key = "DjayBenyJrtpvydFCzAphcqc" + - Atlassian_key = "DjayBeny2rtpvydF4zAphcqc" - "ATLASSIAN_API_TOKEN:'abcdef1234567890abcdef12'" references: - https://developer.atlassian.com/cloud/admin/organization/rest/api-group-orgs/#api-v1-orgs-get
diff --git a/crates/kingfisher-rules/data/rules/azurestorage.yml b/crates/kingfisher-rules/data/rules/azurestorage.yml
index bd3925d..1bf3cb5 100644
--- a/crates/kingfisher-rules/data/rules/azurestorage.yml
+++ b/crates/kingfisher-rules/data/rules/azurestorage.yml
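Review bot: In atlassian.yml, `min_digits: 2` drops any real token that happens to carry zero or one digit, and nothing in the rule records that trade-off. The token pattern itself is outside this hunk, but if the 24-character value is drawn roughly uniformly from letters and digits, several percent of genuine tokens would fall below the threshold; the example this commit replaces had no digits at all. I would add a comment above the requirement, e.g. `# min_digits: 2 trades some recall for precision; tokens with <2 digits are skipped`, and confirm the threshold against real token samples.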
@@ -32,20 +32,23 @@ rules: id: kingfisher.azurestorage.2 pattern: | (?xi) - azure - (?:.|[\n\r]){0,128}? - (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) - (?:.|[\n\r]){0,128}? - ["':\s=}\]\)] - ( - (?: - [A-Z0-9+\\/-]{86,88}={1,2} - ) - | - (?: - [A-Z0-9+\\/-]{86,88}\b - ) + \b + (?: + azure(?:[_\s-]*storage)? + (?:[_\s-]*(?:account[_\s-]*key|storage[_\s-]*key|shared[_\s-]*key|access[_\s-]*key|accountkey)) + | + account[_\s-]*key + | + storage[_\s-]*key ) + \b + (?:.|[\n\r]){0,24}? + [ \t]*[=:][ \t]* + ['"]? + ( + [A-Z0-9+\\/-]{86,88}(?:={1,2})? + ) + ['"]? pattern_requirements: min_digits: 2 min_uppercase: 2
diff --git a/crates/kingfisher-rules/data/rules/google.yml b/crates/kingfisher-rules/data/rules/google.yml
index 70b2df0..8e7acdc 100644
--- a/crates/kingfisher-rules/data/rules/google.yml
+++ b/crates/kingfisher-rules/data/rules/google.yml
@@ -28,10 +28,14 @@ rules: id: kingfisher.google.3 pattern: | (?xi) - client.?secret .{0,10} + client.?secret + (?:.|[\n\r]){0,10}? + [ \t]*[=:][ \t]* + ['"]? ( [a-z0-9_-]{24} ) + ['"]? (?: [^a-z0-9_-] |$) pattern_requirements: min_digits: 1
@@ -80,7 +84,13 @@ rules: (GOCSPX-[A-Z0-9_-]{28}) | (?: - (?i) client.?secret .{0,10} \b ([A-Z0-9_-]{24}) + (?i) + client.?secret + (?:.|[\n\r]){0,10}? + [ \t]*[=:][ \t]* + ['"]? + \b ([A-Z0-9_-]{24}) + ['"]? ) ) (?:[^A-Z0-9_-] | $)
diff --git a/crates/kingfisher-rules/data/rules/redis.yml b/crates/kingfisher-rules/data/rules/redis.yml
index 27da1b8..0330a1b 100644
--- a/crates/kingfisher-rules/data/rules/redis.yml
+++ b/crates/kingfisher-rules/data/rules/redis.yml
@@ -85,7 +85,7 @@ rules: (?:PASSWORD|PASS|PASSWD|AUTH|SECRET|TOKEN) \b (?:.|[\n\r]){0,24}? - [=:\s]+ + [ \t]*[=:][ \t]* ['"]? (?P[a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,64}) ['"]?
diff --git a/crates/kingfisher-rules/data/rules/salesforce.yml b/crates/kingfisher-rules/data/rules/salesforce.yml
index f384273..0acfb88 100644
--- a/crates/kingfisher-rules/data/rules/salesforce.yml
+++ b/crates/kingfisher-rules/data/rules/salesforce.yml
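Review bot: In azurestorage.yml the new separator `[ \t]*[=:][ \t]*` is written under `(?xi)`, and Rust's regex crate documents that verbose mode ignores whitespace inside character classes as well, so if that crate compiles these rules the class reduces to `[\t]` and `account_key = "..."` with a space after `=` would stop matching. The same separator is added in both google.yml hunks and in the redis.yml hunk; `[\x20\t]*[=:][\x20\t]*` is unambiguous, and an example with spaces around the separator would pin the behaviour. Separately, the capture `[A-Z0-9+\\/-]{86,88}(?:={1,2})?` no longer has any trailing boundary, so a longer base64 blob under a matching key name would be reported on its first 88 characters; a trailing `(?:[^A-Z0-9+/=-]|$)` after the optional quote, the idiom google.yml already uses, would close that. The rule's examples lie outside this hunk, so they could not be checked against the new pattern.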
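Review bot: In redis.yml, replacing `[=:\s]+` with `[ \t]*[=:][ \t]*` makes `=` or `:` mandatory, so whitespace-separated forms such as the `AUTH <password>` command no longer match. The start of the pattern is outside the hunk, so whether this rule was meant to cover those forms is not visible. If it was, keep a whitespace-only alternative, e.g. `(?:[\x20\t]*[=:][\x20\t]*|[\x20\t]+)`; otherwise add a comment such as `# only key=value / key: value assignments are in scope` so the narrowing is recorded as deliberate.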
@@ -209,6 +209,10 @@ rules: min_entropy: 3.5 pattern_requirements: min_digits: 3 + ignore_if_contains: + - "www.w3.org" + - "/2001/" + - "/XMLSchema" confidence: medium examples: - |
@@ -309,6 +313,16 @@ rules: min_digits: 4 min_entropy: 3.6 confidence: medium + validation: + type: Http + content: + request: + method: GET + url: "https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id={{ TOKEN }}&redirect_uri=https%3A%2F%2Fexample.com%2Fcb" + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] examples: - 3MVG9P8aWj9n4kT2xQ5mV7rY1bC3dF6gH8jK0mN2pR4tU6wX8zA1cE3gH5kM7qS9uV2xY4bD6fJ8nP1rT3vW5yZ7 references:
diff --git a/crates/kingfisher-rules/data/rules/square.yml b/crates/kingfisher-rules/data/rules/square.yml
index a694632..c463b68 100644
--- a/crates/kingfisher-rules/data/rules/square.yml
+++ b/crates/kingfisher-rules/data/rules/square.yml
@@ -7,6 +7,7 @@ rules: ( EAAA[a-zA-Z0-9\-\+=]{60} ) + \b pattern_requirements: min_digits: 4 min_entropy: 3.3
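Review bot: In the first salesforce.yml hunk, the `ignore_if_contains` entry `"/2001/"` is far broader than the XML-namespace noise the other two entries point at, and would suppress any finding whose checked text happens to contain that path segment. The three strings look like fragments of `http://www.w3.org/2001/XMLSchema`; `"www.w3.org/2001/"` would express the same intent more tightly. A one-line comment such as `# skip XML Schema namespace URIs` above the list would record why these entries exist. The rule's pattern is outside the hunk, so it is not visible what text the filter is evaluated against.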
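Review bot: In the new `validation` block of salesforce.yml, `StatusMatch` on `[200]` is the only signal, and the hunk gives no evidence that the authorize endpoint answers with a non-200 status for an unknown `client_id`; login endpoints commonly render their error page with a 200 as well, in which case every candidate would be reported as live. The fixed `example.com` `redirect_uri` will not match a real connected app's callback, so the response being classified is probably an error page either way. I would add a matcher on the response body or headers that separates the invalid-client outcome from the others, and a comment noting that `login.salesforce.com` covers production orgs only. `{{ TOKEN }}` is also interpolated into the query string without any visible URL-encoding.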
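Review bot: In square.yml the added `\b` follows a capture whose class includes `-`, `+` and `=`, so a token whose 60th character is one of those and is followed by a quote, whitespace or end of line has no word boundary at that position and will no longer match. A negated-class terminator such as `(?:[^a-zA-Z0-9\-\+=]|$)` expresses "the token ends here" for the whole alphabet without that gap. The start of the pattern is outside the hunk.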